spectrocloud
diff --git a/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/architecture.md‎
Lines changed: 3 additions & 65 deletions b/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/architecture.md‎
Lines changed: 3 additions & 65 deletions
diff --git a/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/create-hybrid-node-pools.md‎
Lines changed: 123 additions & 31 deletions b/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/create-hybrid-node-pools.md‎
Lines changed: 123 additions & 31 deletions
diff --git a/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/eks-hybrid-nodes.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/eks-hybrid-nodes.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/import-eks-cluster-enable-hybrid-mode.md‎
Lines changed: 15 additions & 18 deletions b/‎docs/docs-content/clusters/public-cloud/aws/eks-hybrid-nodes/import-eks-cluster-enable-hybrid-mode.md‎
Lines changed: 15 additions & 18 deletions
@@ -39,71 +39,8 @@ Transit Gateway and AWS Site-to-Site Virtual Private Network (VPN).
 
 ![Example Amazon EKS Hybrid Nodes network architecture](/aws_eks-hybrid_architecture_eks-hybrid-architecture.webp)
 
-Hybrid network connectivity can be configured using a variety of methods, such as:
-
-- [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html)
-- [AWS Direct Connect](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect.html)
-- [Software VPN](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/software-vpn.html)
-
-Refer to
-[Network-to-Amazon VPC connectivity options](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html)
-for guidance on all available options.
-
-### Configuration Requirements
-
-If using a VPN or AWS Direct Connect between AWS and your on-prem and edge environments, review the following
-configuration requirements.
-
-#### AWS
-
-<!-- Commented out until greenfield provisioning is available -->
-<!-- Configure your EKS cluster with static placement so that your nodes are assigned to specific Availability Zones (AZs)
-and fixed networking configurations. This is required because of the following reasons:
-
-- The VPN configuration must be set up with predefined routes and IP ranges.
-- Node placement cannot change dynamically across AZs.
-- Network paths need to remain consistent for VPN tunnels to function properly. -->
-
-Traffic routing in the Amazon EKS VPC requires the following mapping for hybrid nodes:
-
-- Route table entries mapping hybrid node CIDR ranges to VPN endpoint.  
-  For example, Hybrid Node CIDR 10.200.0.0/16 → VPN endpoint 172.16.0.1.
-
-- Route table entries mapping hybrid pod CIDR ranges to VPN endpoint.  
-  For example, Hybrid Pod CIDR 192.168.0.0/16 → VPN endpoint 172.16.0.1.
-
-- For AWS Direct Connect, map traffic to appropriate private subnet CIDR.  
-  For example, both CIDRs 10.200.0.0/16 & 192.168.0.0/16 → Private subnet 172.16.1.0/24.
-
-For AWS VPNs, configure two static routes for each of the following CIDRs:
-
-- Hybrid Node CIDR block.  
-  For example, Hybrid Node CIDR 10.200.0.0/16 → VPN endpoint 172.16.0.1.
-
-- Hybrid Pod CIDR block.  
-  For example, Hybrid Pod CIDR 192.168.0.0/16 → VPN endpoint 172.16.0.1.
-
-If you're using a Virtual Private Gateway or Transit Gateway, route propagation can be enabled to automatically populate
-your VPC route tables. Ensure you verify your route tables after propagation.
-
-#### On-Prem and Edge Locations
-
-For on-prem and edge VPNs, set up IPsec Phase 1 tunnels with Phase 2 security associations for the following:
-
-- Hybrid Node subnet to EKS VPC CIDR.  
-  For example, Hybrid Node subnet 10.201.0.0/16 → EKS VPC CIDR 10.100.0.0/16.
-
-- Hybrid Node pod CIDR to EKS VPC CIDR.  
-  For example, Hybrid Node Pod CIDR 192.168.0.0/16 → EKS VPC CIDR 10.100.0.0/16.
-
-You should also configure Border Gateway Protocol (BGP) or static routes on your on-prem or edge location router to
-ensure network traffic reaches the correct hybrid nodes. For static routing, this is explained in more detail during the
-[Configure Hybrid Node Networking for VPN Solutions](./create-hybrid-node-pools.md#configure-hybrid-node-networking-for-vpn-solutions)
-steps.
-
-A route must exist to send all traffic destined for the Amazon EKS VPC through a centralized VPN gateway, or
-alternatively, a unique VPN server IP can be defined for each hybrid node during the
-[Create Hybrid Node Pool](./create-hybrid-node-pools.md#create-hybrid-node-pool) steps.
+Refer to [Prepare Network](./prepare-environment/prepare-network.md) for help configuring the network in your AWS
+region, on-prem/remote environment, and inter-site connectivity.
 
 ## Operating System Compatibility
 
@@ -137,6 +74,7 @@ Palette supports the following authentication methods for your hybrid nodes:
     requiring a CA-signed certificate.
 
 - [AWS Identity and Access Management (IAM) Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)
+
   - IAM Roles Anywhere is not supported on some operating systems. Refer to the
     [Operating system considerations](https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-os.html#_operating_system_considerations)
     for up-to-date guidance.
 
@@ -138,7 +138,9 @@ Your cluster profile for hybrid nodes is now created and can be used in the
 - A cluster profile created for your hybrid nodes. Refer to
   [Create Cluster Profile for Hybrid Node Pools](#create-cluster-profile-for-hybrid-node-pools) for steps.
 
-- Verified network connectivity between your Amazon EKS cluster nodes and edge hosts.
+- Verified network connectivity between your Amazon EKS cluster nodes and edge hosts. Refer to
+  [Prepare Network - Inter-Site Connectivity](./prepare-environment/prepare-network.md#inter-site-connectivity) for
+  guidance.
 
   - If using a VPN, confirm that both tunnels of the site-to-site VPN connection are active and operational.
 
@@ -147,16 +149,76 @@ Your cluster profile for hybrid nodes is now created and can be used in the
 
     <!-- prettier-ignore -->
     <details>
-    <summary> Example ping command </summary>
+    <summary> Example </summary>
 
-    ```shell
-    kubectl exec --stdin=true --tty=true <debugPodName> -- ping <edgeHostIpAddress>
-    ```
+    1. Deploy a lightweight debug pod in your Amazon EKS cluster if one does not exist.
+
+       The following example command creates a pod named `debug-pod` using the Busybox image, which includes basic
+       networking utilities. The pod will stay alive for 1 hour (3600 seconds).
+
+       ```shell
+       export POD=debug-pod
+       kubectl run "$POD" --image=busybox --restart=Never -- sleep 3600
+       ```
+
+    2. From the debug pod in your Amazon EKS cluster, attempt to reach an active hybrid node.
+
+       Replace `<hybridNodeIp>` with an IP address from an active hybrid node.
+
+       ```shell
+       kubectl exec --stdin --tty "$POD" -- ping <hybridNodeIp>
+       ```
+
+    3. Check that the ping statistics from the output show a healthy connection.
+
+       Example healthy output.
+
+       ```shell hideClipboard
+       PING 10.200.1.23 (10.200.1.23): 56 data bytes
+       64 bytes from 10.200.1.23: icmp_seq=1 ttl=63 time=28.382 ms
+       64 bytes from 10.200.1.23: icmp_seq=2 ttl=63 time=27.359 ms
+       64 bytes from 10.200.1.23: icmp_seq=3 ttl=63 time=29.412 ms
+       64 bytes from 10.200.1.23: icmp_seq=4 ttl=63 time=30.345 ms
+
+       --- 10.200.1.23 ping statistics ---
+       4 packets transmitted, 4 packets received, 0% packet loss
+       round-trip min/avg/max/stddev = 27.359/28.875/30.345/1.091 ms
+       ```
 
     </details>
 
-  - Verify that your edge hosts can successfully ping the private IP address of an EC2 instance within the Amazon EKS
-    cluster's VPC.
+  - Verify that your edge hosts can successfully ping the private IP address of your AWS VPC gateway or an AWS worker
+    node within the Amazon EKS cluster's VPC.
+
+    <!-- prettier-ignore -->
+    <details>
+    <summary> Example </summary>
+
+    1. From an edge host in your on-prem environment, attempt to reach your AWS VPC gateway or an AWS worker node.
+
+       Replace `<awsGatewayOrNode>` with the IP address of your AWS VPC gateway or AWS worker node, for example,
+       `10.100.0.1` or `10.100.0.27`.
+
+       ```shell
+       ping <awsGatewayOrNode>
+       ```
+
+    2. Check that the ping statistics from the output show a healthy connection.
+
+       Example healthy output.
+
+       ```shell hideClipboard
+       PING 10.100.0.1 (10.100.0.1) 56(84) bytes of data.
+       64 bytes from 10.100.0.1: icmp_seq=1 ttl=64 time=27.5 ms
+       64 bytes from 10.100.0.1: icmp_seq=2 ttl=64 time=28.2 ms
+       64 bytes from 10.100.0.1: icmp_seq=3 ttl=64 time=29.1 ms
+       64 bytes from 10.100.0.1: icmp_seq=4 ttl=64 time=27.9 ms
+       --- 10.100.0.1 ping statistics ---
+       4 packets transmitted, 4 received, 0% packet loss, time 3999ms
+       rtt min/avg/max/mdev = 27.5/28.2/29.1/0.6 ms
+       ```
+
+    </details>
 
 ### Create Node Pool
 
@@ -221,7 +283,7 @@ nodes. Before proceeding, consider the following points:
 - This guide is specifically for VPN solutions that support and require manual static route configuration. If your VPN
   uses a different routing mechanism, these steps may not apply.
 
-- If your VPN supports BGP (Border Gateway Protocol), you may be able to skip manual route configuration entirely. BGP
+- If your VPN supports Border Gateway Protocol (BGP), you may be able to skip manual route configuration entirely. BGP
   can automatically advertise and update routes between your cluster and VPN. Check your VPN documentation for BGP
   neighbor configuration and route import procedures.
 
@@ -246,7 +308,7 @@ nodes. Before proceeding, consider the following points:
 
 - Access to your VPN configuration interface.
 
-### Configure Networking
+### Configure VPN Networking
 
 1. Issue the following kubectl command to list all CiliumNode resources in your cluster.
 
@@ -259,7 +321,7 @@ nodes. Before proceeding, consider the following points:
    ```shell hideClipboard
    NAME                                    CILIUMINTERNALIP   INTERNALIP    AGE
    edge-abc123def4567890example1           192.168.5.101      10.200.1.23   2h
-   edge-xyz987uvw6543210example2           192.168.6.102      10.200.2.34   3h
+   edge-xyz987uvw6543210example2           192.168.6.102      10.200.0.34   3h
    ```
 
 2. For each hybrid node, retrieve the `spec.ipam.podCIDRs` field to find the CIDR block allocated for pods active on
@@ -284,40 +346,74 @@ nodes. Before proceeding, consider the following points:
 
 4. For each hybrid node, add the following entries.
 
-   | **Field**              | **Description**                                                                                                         | **Example**        |
-   | ---------------------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------ |
-   | **Destination**        | Use the `podCIDRs` value for the hybrid node discovered in step 2.                                                      | `192.168.4.128/25` |
-   | **Next Hop / Gateway** | Specify the IP address of the hybrid node as listed in the CiliumNode resource under `internalIP` discovered in step 1. | `192.168.5.101`    |
+   | **Field**              | **Description**                                                                                                         | **Example**      |
+   | ---------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------- |
+   | **Destination**        | Use the `podCIDRs` value for the hybrid node discovered in step 2.                                                      | `192.168.5.0/25` |
+   | **Next Hop / Gateway** | Specify the IP address of the hybrid node as listed in the CiliumNode resource under `internalIP` discovered in step 1. | `10.200.1.23`    |
 
 5. Ensure the routes are saved and applied. The process varies depending on the VPN solution.
 
 ### Validate
 
-1. From a pod in your Amazon EKS cluster, attempt to reach an active pod on a hybrid node.
+1. Deploy a lightweight debug pod in your Amazon EKS cluster if one does not exist.
+
+   The following example command creates a pod named `debug-pod` using the Busybox image, which includes basic
+   networking utilities. The pod will stay alive for 1 hour (3600 seconds).
+
+   ```shell
+   export POD=debug-pod
+   kubectl run "$POD" --image=busybox --restart=Never -- sleep 3600
+   ```
+
+2. From the debug pod in your Amazon EKS cluster, attempt to reach an active hybrid node.
 
-   Replace `<podName>` with a pod in your Amazon EKS cluster and `<hybridPodIp>` with an IP address from an active pod
-   on a hybrid node.
+   Replace `<hybridNodeIp>` with an IP address from an active hybrid node.
 
    ```shell
-   kubectl exec --interactive --tty <podName> -- ping <hybridPodIp>
+   kubectl exec --stdin --tty "$POD" -- ping <hybridNodeIp>
    ```
 
-2. Check that the ping statistics from the output show a healthy connection.
+3. Check that the ping statistics from the output show a healthy connection.
 
    Example healthy output.
 
    ```shell hideClipboard
-   PING 192.168.5.10 (192.168.5.10): 56 data bytes
-   64 bytes from 192.168.5.10: icmp_seq=1 ttl=63 time=28.382 ms
-   64 bytes from 192.168.5.10: icmp_seq=2 ttl=63 time=27.359 ms
-   64 bytes from 192.168.5.10: icmp_seq=3 ttl=63 time=29.412 ms
-   64 bytes from 192.168.5.10: icmp_seq=4 ttl=63 time=30.345 ms
+   PING 10.200.1.23 (10.200.1.23): 56 data bytes
+   64 bytes from 10.200.1.23: icmp_seq=1 ttl=63 time=28.382 ms
+   64 bytes from 10.200.1.23: icmp_seq=2 ttl=63 time=27.359 ms
+   64 bytes from 10.200.1.23: icmp_seq=3 ttl=63 time=29.412 ms
+   64 bytes from 10.200.1.23: icmp_seq=4 ttl=63 time=30.345 ms
 
-   --- 192.168.5.10 ping statistics ---
+   --- 10.200.1.23 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 27.359/28.875/30.345/1.091 ms
    ```
 
+4. From an edge host in your on-prem environment, attempt to reach your AWS VPC gateway or an AWS worker node within the
+   Amazon EKS cluster's VPC.
+
+   Replace `<awsGatewayOrNode>` with the IP address of your AWS VPC gateway or AWS worker node, for example,
+   `10.100.0.1` or `10.100.0.27`.
+
+   ```shell
+   ping <awsGatewayOrNode>
+   ```
+
+5. Check that the ping statistics from the output show a healthy connection.
+
+   Example healthy output.
+
+   ```shell hideClipboard
+   PING 10.100.0.1 (10.100.0.1) 56(84) bytes of data.
+   64 bytes from 10.100.0.1: icmp_seq=1 ttl=64 time=27.5 ms
+   64 bytes from 10.100.0.1: icmp_seq=2 ttl=64 time=28.2 ms
+   64 bytes from 10.100.0.1: icmp_seq=3 ttl=64 time=29.1 ms
+   64 bytes from 10.100.0.1: icmp_seq=4 ttl=64 time=27.9 ms
+   --- 10.100.0.1 ping statistics ---
+   4 packets transmitted, 4 received, 0% packet loss, time 3999ms
+   rtt min/avg/max/mdev = 27.5/28.2/29.1/0.6 ms
+   ```
+
 ## When to Manually Repave Hybrid Node Pools
 
 Your hybrid node pools require manual repaving in these scenarios:
@@ -401,13 +497,9 @@ take effect, while restoring your nodes to the desired configuration.
 
 ## Resources
 
-- [Agent Mode](../../../../deployment-modes/agent-mode/agent-mode.md)
-
-- [Appliance Mode](../../../../deployment-modes/appliance-mode.md)
-
-- [EdgeForge Workflow](../../../edge/edgeforge-workflow/edgeforge-workflow.md)
+- [Prepare Edge Hosts](./prepare-environment/prepare-edge-hosts.md)
 
-- [Build Provider Images](../../../edge/edgeforge-workflow/palette-canvos/build-provider-images.md)
+- [Prepare Network](./prepare-environment/prepare-network.md)
 
 - [Worker Node Pool](../../../cluster-management/node-pool.md#worker-node-pool)
 
 
@@ -29,6 +29,8 @@ To learn more about Palette and Amazon EKS Hybrid Nodes, check out the following
 
 - [Architecture](./architecture.md)
 
+- [Prepare Environment](./prepare-environment/prepare-environment.md)
+
 - [Import EKS Cluster and Enable Hybrid Mode](./import-eks-cluster-enable-hybrid-mode.md)
 
 - [Create Hybrid Node Pools](./create-hybrid-node-pools.md)
 
@@ -37,22 +37,9 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge
   [Cluster Profile](../../../../user-management/palette-rbac/project-scope-roles-permissions.md#cluster-profile)
   permissions for guidance.
 
-- Ensure your environment has network access to Palette SaaS. Refer to
-  [Palette IP Addresses](../../../../architecture/palette-public-ips.md) for guidance.
-
-- Ensure [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed and available in your local workstation.
-
-- Access to your Amazon EKS cluster through kubectl.
-
-  - To access your cluster with kubectl, you can use the AWS CLI's built-in authentication capabilities. If you are
-    using a custom OpenID Connect (OIDC) provider, you will need to configure your kubeconfig to use your OIDC provider.
-
-    Refer to the [Access Imported Cluster with Kubectl](#access-imported-cluster-with-kubectl) section for more
-    information.
-
 - All networking prerequisites completed for hybrid nodes. Refer to
-  [Prepare networking for hybrid nodes](https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-networking.html)
-  for guidance. You will need to provide the following details during the import steps:
+  [Prepare Network](./prepare-environment/prepare-network.md) for guidance. You will need to provide the following
+  details during the import steps:
 
   - The Virtual Private Cloud (VPC) Classless Inter-Domain Routing (CIDR) range where your EKS cluster resides.
   - The CIDR ranges for hybrid nodes in other networks that need to connect to this cluster.
@@ -62,7 +49,7 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge
   [Prepare credentials for hybrid nodes](https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-creds.html) for
   guidance.
 
-  If you are using Systems Manager, you will need to provide the following details during the import steps:
+  If you are using AWS Systems Manager, you will need to provide the following details during the import steps:
 
   - The Activation ID assigned by AWS Systems Manager when creating an activation. This ID is used to associate hybrid
     nodes with your AWS account in Systems Manager.
@@ -72,7 +59,7 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge
     [Hybrid Nodes IAM Role](https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-creds.html#_hybrid_nodes_iam_role)
     created for AWS SSM hybrid activations.
 
-  If you are using IAM Roles Anywhere, you will need to provide the following details during the import steps:
+  If you are using AWS IAM Roles Anywhere, you will need to provide the following details during the import steps:
 
   - The Amazon Resource Name (ARN) of the IAM Roles Anywhere profile that defines which roles can be assumed by hybrid
     nodes.
@@ -88,6 +75,16 @@ Import your Amazon EKS cluster and enable hybrid mode to be able to create edge
 - An existing Amazon EKS cluster that has configured with the appropriate parameters to be imported into Palette. Refer
   to [Prepare EKS Cluster](./prepare-environment/prepare-eks-cluster.md) for guidance.
 
+- Ensure [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed and available in your local workstation.
+
+- Access to your Amazon EKS cluster through kubectl.
+
+  - To access your cluster with kubectl, you can use the AWS CLI built-in authentication capabilities. If you are using
+    a custom OpenID Connect (OIDC) provider, you will need to configure your kubeconfig to use your OIDC provider.
+
+    Refer to the [Access Imported Cluster with Kubectl](#access-imported-cluster-with-kubectl) section for more
+    information.
+
 ### Import Cluster
 
 1. Log in to [Palette](https://console.spectrocloud.com/).
@@ -517,7 +514,7 @@ Learn how to create a hybrid node pool on your cluster and add your edge hosts t
 
 - [Add AWS Account](../add-aws-accounts.md)
 
-- [Palette IP Addresses](../../../../architecture/palette-public-ips.md)
+- [Prepare Environment](./prepare-environment/prepare-environment.md)
 
 - [Create Role Bindings](../../../cluster-management/cluster-rbac.md#create-role-bindings)